@vess-id/ai-identity 0.10.0 → 0.12.0

package/dist/vp/kb-jwt-builder.d.ts

@@ -0,0 +1,89 @@
+/**
+ * Single source of truth for Key Binding JWT (KB-JWT) issuance shared across
+ * the AIdentity stack. Four production code paths build KB-JWTs and they
+ * MUST stay byte-for-byte equivalent so a presentation built on one side is
+ * accepted by the verifier on the other:
+ *
+ *   - SDK clients via `VPManager.create()` (this package)
+ *   - API service via `packages/api/src/vp/vp-creation.service.ts`
+ *   - Remote MCP via `packages/remote-mcp/src/services/vp-creation.service.ts`
+ *   - agentd (`@vess-id/vess`) via `VPBuilder.buildVP()`
+ *     (`packages/agentd/src/wallet/vp-builder.ts`)
+ *
+ * Historically each path had its own copy of this logic. PR #391 (the
+ * commit that made `exp` REQUIRED on the verifier side) updated only two of
+ * the three issuer paths known at the time; the SDK was missed and every
+ * SDK-built VP started failing at verification time. The follow-up
+ * consolidation (commit 02b169aa) brought the SDK in line, but agentd —
+ * which had its own KB-JWT literal in `wallet/vp-builder.ts` — was not
+ * recognized as a fourth issuer. Staging then rejected every VP from
+ * `@vess-id/vess` agentd alpha builds with `KB-JWT missing exp` until the
+ * agentd hotfix (this commit's cohort) wired its VPBuilder through
+ * `buildKbJwtPayload()`. This module exists so that a future verifier
+ * change cannot drift from the issuer side: any update lands in one place
+ * and all four paths inherit it.
+ */
+/**
+ * Default KB-JWT lifetime in seconds. Mirrors the cap enforced by the API's
+ * `KeyBindingVerifierService.MAX_KB_JWT_LIFETIME_SECONDS` (also 300).
+ *
+ * The KB-JWT `exp` is the smaller of:
+ *   - `iat + KB_JWT_DEFAULT_LIFETIME_SECONDS`
+ *   - the parent VC's `exp` (so the bearer's freshness window cannot outlive
+ *     the underlying credential's validity, which is itself bounded by
+ *     `grant.expiresAt` at issuance time).
+ */
+export declare const KB_JWT_DEFAULT_LIFETIME_SECONDS = 300;
+export interface KbJwtPayload {
+    iss: string;
+    aud: string;
+    nonce: string;
+    iat: number;
+    exp: number;
+}
+export interface BuildKbJwtPayloadArgs {
+    /** Holder DID — becomes the KB-JWT `iss` claim. */
+    holderDid: string;
+    /** Verifier audience (URL or hostname). Will be normalized via {@link normalizeDomain}. */
+    audience: string;
+    /** Verifier-supplied nonce / challenge. */
+    nonce: string;
+    /** The parent SD-JWT VC string. Its `exp` (if any) caps the KB-JWT lifetime. */
+    vcCredential: string;
+}
+export interface BuildKbJwtPayloadDeps {
+    /** Returns the current time in milliseconds. Defaults to `Date.now`. */
+    now?: () => number;
+}
+/**
+ * Build a Key Binding JWT payload for an SD-JWT VC presentation.
+ *
+ * Throws when the parent VC is already expired (`vc.exp <= now`). The error
+ * message intentionally contains the substring `"VC has expired"` so that
+ * downstream catchers (notably remote-mcp's `isCredentialInvalidError`) can
+ * detect a stale-credential condition and trigger a re-approval flow rather
+ * than surface an opaque issuance failure to the user.
+ */
+export declare function buildKbJwtPayload(args: BuildKbJwtPayloadArgs, deps?: BuildKbJwtPayloadDeps): KbJwtPayload;
+/**
+ * Best-effort read of the VC's `exp` claim from the SD-JWT outer payload.
+ * Returns undefined when the VC is malformed, missing exp, or the field is
+ * not a number — callers fall back to {@link KB_JWT_DEFAULT_LIFETIME_SECONDS}
+ * in that case so issuance does not break for VCs without an explicit expiry.
+ */
+export declare function readVcExpSeconds(sdJwtVc: string): number | undefined;
+/**
+ * Normalize a domain string for consistent use as a JWT `aud` claim.
+ *
+ * The API verifier compares the KB-JWT `aud` against the expected domain by
+ * exact string match, so issuer and verifier must agree on the canonical
+ * form. We delegate to the URL parser, which strips paths and lowercases
+ * the host, then return the resulting `origin`.
+ *
+ * Inputs without a scheme are assumed to be hostnames; `localhost` (with or
+ * without a port) defaults to `http://`, everything else to `https://`. If
+ * URL parsing fails, the input is returned unchanged so a caller can still
+ * detect the mismatch downstream rather than silently swallowing a typo.
+ */
+export declare function normalizeDomain(domain: string): string;
+//# sourceMappingURL=kb-jwt-builder.d.ts.map

package/dist/vp/kb-jwt-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"kb-jwt-builder.d.ts","sourceRoot":"","sources":["../../src/vp/kb-jwt-builder.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH;;;;;;;;;GASG;AACH,eAAO,MAAM,+BAA+B,MAAM,CAAA;AAElD,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,EAAE,MAAM,CAAA;IACb,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;CACZ;AAED,MAAM,WAAW,qBAAqB;IACpC,mDAAmD;IACnD,SAAS,EAAE,MAAM,CAAA;IACjB,2FAA2F;IAC3F,QAAQ,EAAE,MAAM,CAAA;IAChB,2CAA2C;IAC3C,KAAK,EAAE,MAAM,CAAA;IACb,gFAAgF;IAChF,YAAY,EAAE,MAAM,CAAA;CACrB;AAED,MAAM,WAAW,qBAAqB;IACpC,wEAAwE;IACxE,GAAG,CAAC,EAAE,MAAM,MAAM,CAAA;CACnB;AAED;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE,qBAAqB,EAC3B,IAAI,GAAE,qBAA0B,GAC/B,YAAY,CAqBd;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAUpE;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAgBtD"}

package/dist/vp/vp-manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"vp-manager.d.ts","sourceRoot":"","sources":["../../src/vp/vp-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sBAAsB,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA;AAE5D,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AAK/C,qBAAa,SAAS;IACpB,OAAO,CAAC,UAAU,CAAY;gBAElB,UAAU,CAAC,EAAE,UAAU;IAMnC;;;OAGG;IACG,MAAM,CACV,GAAG,EAAE,MAAM,EAAE,EAAE,6BAA6B;IAC5C,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAA;QACjB,SAAS,EAAE,MAAM,CAAA;QACjB,MAAM,EAAE,MAAM,CAAA;QACd,OAAO,CAAC,EAAE,MAAM,CAAA;KACjB,GACA,OAAO,CAAC,MAAM,CAAC;IA8ClB;;OAEG;IACG,MAAM,CACV,KAAK,EAAE,MAAM,EACb,OAAO,EAAE;QACP,iBAAiB,EAAE,MAAM,CAAA;QACzB,cAAc,EAAE,MAAM,CAAA;QACtB,cAAc,CAAC,EAAE,MAAM,CAAA;KACxB,GACA,OAAO,CAAC,sBAAsB,CAAC;IAwClC;;OAEG;IACH,aAAa,CACX,MAAM,EAAE,MAAM,EACd,KAAK,CAAC,EAAE;QACN,IAAI,CAAC,EAAE,MAAM,CAAA;QACb,eAAe,CAAC,EAAE,GAAG,CAAA;KACtB,GACA,SAAS;IAQZ;;OAEG;IACG,MAAM,CACV,KAAK,EAAE,MAAM,EACb,gBAAgB,EAAE,MAAM,GACvB,OAAO,CAAC;QAAE,QAAQ,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,GAAG,CAAA;KAAE,CAAC;CAehD"}
+{"version":3,"file":"vp-manager.d.ts","sourceRoot":"","sources":["../../src/vp/vp-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sBAAsB,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA;AAE5D,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AAM/C,qBAAa,SAAS;IACpB,OAAO,CAAC,UAAU,CAAY;gBAElB,UAAU,CAAC,EAAE,UAAU;IAMnC;;;OAGG;IACG,MAAM,CACV,GAAG,EAAE,MAAM,EAAE,EAAE,6BAA6B;IAC5C,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAA;QACjB,SAAS,EAAE,MAAM,CAAA;QACjB,MAAM,EAAE,MAAM,CAAA;QACd,OAAO,CAAC,EAAE,MAAM,CAAA;KACjB,GACA,OAAO,CAAC,MAAM,CAAC;IA6ClB;;OAEG;IACG,MAAM,CACV,KAAK,EAAE,MAAM,EACb,OAAO,EAAE;QACP,iBAAiB,EAAE,MAAM,CAAA;QACzB,cAAc,EAAE,MAAM,CAAA;QACtB,cAAc,CAAC,EAAE,MAAM,CAAA;KACxB,GACA,OAAO,CAAC,sBAAsB,CAAC;IAwClC;;OAEG;IACH,aAAa,CACX,MAAM,EAAE,MAAM,EACd,KAAK,CAAC,EAAE;QACN,IAAI,CAAC,EAAE,MAAM,CAAA;QACb,eAAe,CAAC,EAAE,GAAG,CAAA;KACtB,GACA,SAAS;IAQZ;;OAEG;IACG,MAAM,CACV,KAAK,EAAE,MAAM,EACb,gBAAgB,EAAE,MAAM,GACvB,OAAO,CAAC;QAAE,QAAQ,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,GAAG,CAAA;KAAE,CAAC;CAehD"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vess-id/ai-identity",
-  "version": "0.10.0",
+  "version": "0.12.0",
   "description": "TypeScript SDK for AI Identity Layer",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
@@ -21,40 +21,34 @@
     "url": "https://github.com/cvoxelprotocol/aidentity.git",
     "directory": "packages/sdk"
   },
-  "scripts": {
-    "build": "tsup && tsc --declaration --emitDeclarationOnly --outDir dist",
-    "dev": "tsup --watch",
-    "test": "jest",
-    "typecheck": "tsc --noEmit",
-    "clean": "rm -rf dist node_modules",
-    "semantic-release": "semantic-release"
-  },
   "dependencies": {
     "@sd-jwt/crypto-nodejs": "^0.15.0",
     "@sd-jwt/sd-jwt-vc": "^0.15.1",
     "@sd-jwt/types": "^0.15.0",
-    "ajv": "^8.17.1",
+    "ajv": "^8.18.0",
     "ajv-formats": "^3.0.1",
-    "jose": "^5.1.0",
-    "uuid": "^9.0.0"
+    "jose": "^5.10.0",
+    "uuid": "^9.0.1"
   },
   "devDependencies": {
-    "@types/jest": "^29.5.0",
-    "@types/node": "^20.10.0",
-    "@types/uuid": "^9.0.0",
+    "@types/jest": "^29.5.14",
+    "@types/node": "^20.19.39",
+    "@types/uuid": "^9.0.8",
     "jest": "^29.7.0",
-    "ts-jest": "^29.1.0",
-    "tsup": "^8.0.0",
-    "typescript": "^5.3.0",
-    "@semantic-release/commit-analyzer": "^13.0.1",
-    "@semantic-release/github": "^12.0.6",
-    "@semantic-release/npm": "^13.0.0",
-    "@semantic-release/release-notes-generator": "^14.1.0",
-    "conventional-changelog-conventionalcommits": "^9.3.0",
-    "semantic-release": "^25.0.3"
+    "ts-jest": "^29.4.9",
+    "tsup": "^8.5.1",
+    "typescript": "^5.9.3"
   },
   "publishConfig": {
     "access": "public"
   },
-  "license": "MIT"
-}
+  "license": "MIT",
+  "scripts": {
+    "build": "tsup && tsc --declaration --emitDeclarationOnly --outDir dist",
+    "dev": "tsup --watch --no-clean",
+    "test": "jest",
+    "typecheck": "tsc --noEmit",
+    "clean": "rm -rf dist node_modules",
+    "assert:publish-surface": "node scripts/assert-publish-surface.js"
+  }
+}

package/dist/memory/memory-manager.d.ts

@@ -1,77 +0,0 @@
-import { VPManager } from '../vp/vp-manager';
-/**
- * NOTE: MemoryManager is currently DORMANT (as of 2026-03-29).
- * The API memory endpoints exist but are not actively called in production.
- * The server-side implementation (InMemoryProvider) is volatile and not shared across instances.
- * Do not rely on this in production until a persistent backend is introduced.
- */
-export interface MemoryDocument {
-    id: string;
-    namespace: string;
-    content: string;
-    metadata?: Record<string, any>;
-    embedding?: number[];
-    createdAt: string;
-    updatedAt: string;
-}
-export interface MemoryQuery {
-    query: string;
-    namespace?: string;
-    limit?: number;
-    filter?: Record<string, any>;
-    includeEmbedding?: boolean;
-}
-export interface MemoryQueryResult {
-    documents: MemoryDocument[];
-    scores?: number[];
-    total: number;
-}
-export declare class MemoryManager {
-    private vpManager;
-    private proxyApiUrl;
-    constructor(vpManager?: VPManager);
-    /**
-     * Write a document to memory
-     */
-    write(content: string, options: {
-        namespace: string;
-        metadata?: Record<string, any>;
-        vcs: string[];
-        holderDid: string;
-    }): Promise<MemoryDocument>;
-    /**
-     * Query memory with vector search
-     */
-    query(query: string, options: {
-        namespace?: string;
-        limit?: number;
-        filter?: Record<string, any>;
-        vcs: string[];
-        holderDid: string;
-    }): Promise<MemoryQueryResult>;
-    /**
-     * Delete a document from memory
-     */
-    delete(documentId: string, options: {
-        namespace: string;
-        vcs: string[];
-        holderDid: string;
-    }): Promise<void>;
-    /**
-     * List documents in a namespace
-     */
-    list(options: {
-        namespace: string;
-        limit?: number;
-        offset?: number;
-        vcs: string[];
-        holderDid: string;
-    }): Promise<MemoryQueryResult>;
-    /**
-     * Check if VCs authorize memory access
-     */
-    checkAuthorization(vcs: string[], action: 'read' | 'write' | 'delete', resource: string): Promise<boolean>;
-    private matchResource;
-    private generateChallenge;
-}
-//# sourceMappingURL=memory-manager.d.ts.map

package/dist/memory/memory-manager.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"memory-manager.d.ts","sourceRoot":"","sources":["../../src/memory/memory-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAA;AAG5C;;;;;GAKG;AAEH,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAA;IACV,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,MAAM,CAAA;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;IAC9B,SAAS,CAAC,EAAE,MAAM,EAAE,CAAA;IACpB,SAAS,EAAE,MAAM,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;IAC5B,gBAAgB,CAAC,EAAE,OAAO,CAAA;CAC3B;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,cAAc,EAAE,CAAA;IAC3B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB,KAAK,EAAE,MAAM,CAAA;CACd;AAED,qBAAa,aAAa;IACxB,OAAO,CAAC,SAAS,CAAW;IAC5B,OAAO,CAAC,WAAW,CAAQ;gBAEf,SAAS,CAAC,EAAE,SAAS;IAMjC;;OAEG;IACG,KAAK,CACT,OAAO,EAAE,MAAM,EACf,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAA;QACjB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;QAC9B,GAAG,EAAE,MAAM,EAAE,CAAA;QACb,SAAS,EAAE,MAAM,CAAA;KAClB,GACA,OAAO,CAAC,cAAc,CAAC;IAkC1B;;OAEG;IACG,KAAK,CACT,KAAK,EAAE,MAAM,EACb,OAAO,EAAE;QACP,SAAS,CAAC,EAAE,MAAM,CAAA;QAClB,KAAK,CAAC,EAAE,MAAM,CAAA;QACd,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;QAC5B,GAAG,EAAE,MAAM,EAAE,CAAA;QACb,SAAS,EAAE,MAAM,CAAA;KAClB,GACA,OAAO,CAAC,iBAAiB,CAAC;IA0C7B;;OAEG;IACG,MAAM,CACV,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAA;QACjB,GAAG,EAAE,MAAM,EAAE,CAAA;QACb,SAAS,EAAE,MAAM,CAAA;KAClB,GACA,OAAO,CAAC,IAAI,CAAC;IA8BhB;;OAEG;IACG,IAAI,CAAC,OAAO,EAAE;QAClB,SAAS,EAAE,MAAM,CAAA;QACjB,KAAK,CAAC,EAAE,MAAM,CAAA;QACd,MAAM,CAAC,EAAE,MAAM,CAAA;QACf,GAAG,EAAE,MAAM,EAAE,CAAA;QACb,SAAS,EAAE,MAAM,CAAA;KAClB,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAoC9B;;OAEG;IACG,kBAAkB,CACtB,GAAG,EAAE,MAAM,EAAE,EACb,MAAM,EAAE,MAAM,GAAG,OAAO,GAAG,QAAQ,EACnC,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,OAAO,CAAC;IAwBnB,OAAO,CAAC,aAAa;IASrB,OAAO,CAAC,iBAAiB;CAG1B"}